Using IPTables to route both dynamic local address and static addresses provided by ISP?

Using IPTables to route both dynamic local address and static addresses provided by ISP?

[Gregory Ray]

Hi guys, I am running iptables as a dhcp router from a pppoe
connection, can I have it route the standard local ips to the
workstations but also have my other servers utilize the static ips
available in the block from my isp? Any help would be appreciated.

Thanks,
Greg

Re: Using IPTables to route both dynamic local address and static addresses provided by ISP?

[Pascal Hambourg]

Hello,

Gregory Ray a écrit :
> I am running iptables as a dhcp router from a pppoe connection

Iptables is neither a router nor a DHCP server. Do you mean "I am
running a Linux box working as a DHCP server and as a router" ?

> can I have it route the standard local ips to the
> workstations but also have my other servers utilize the static ips
> available in the block from my isp?

Sure. I suppose that the privante addresses are masqueraded with the
PPPoE public address. For the public static block, you have two options.

1) Assign private addresses to the servers and use DNAT+SNAT to create
1:1 mapppings with public addresses from the static block.

2) Assign public addresses from the static block to the servers.

Are the servers and workstations on the same LAN ?
What is the size of the public static block and how many public servers
do you have ?

Re: Using IPTables to route both dynamic local address and static addresses provided by ISP?

[y c]

Here is an idea using brctl & ebtables, not iptables. Looks like you
need your box runs as a router and switch. It's very common use on DSL
routers called "Triple Play", or port based VLAN. I assume your
topology as: eth0(Internet), eth1(Server), eth2, eth3(private LAN).
1) Create a bridge for eth2 & eth3 with "brctl". Call it br0.
2) Dial out with eth0, you will get ppp0 for Internet.
3) Create a bridge for eth0 & eth1 with "brctl". Call it br1.
4) Set up rules with "ebtables", INPUT chain to DROP packets from eth1.
I didn't try it on my box, but I suppose it works.
Any feed back is appreciated.
Thanks

2009/9/7, Pascal Hambourg <pascal.mail@plouf.fr.eu.org>:
> Hello,
>
> Gregory Ray a écrit :
>> I am running iptables as a dhcp router from a pppoe connection
>
> Iptables is neither a router nor a DHCP server. Do you mean "I am
> running a Linux box working as a DHCP server and as a router" ?
>
>> can I have it route the standard local ips to the
>> workstations but also have my other servers utilize the static ips
>> available in the block from my isp?
>
> Sure. I suppose that the privante addresses are masqueraded with the
> PPPoE public address. For the public static block, you have two options.
>
> 1) Assign private addresses to the servers and use DNAT+SNAT to create
> 1:1 mapppings with public addresses from the static block.
>
> 2) Assign public addresses from the static block to the servers.
>
> Are the servers and workstations on the same LAN ?
> What is the size of the public static block and how many public servers
> do you have ?
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>


-- 
BRs
nuynehc@gmail.com

Re: Using IPTables to route both dynamic local address and static addresses provided by ISP?

[Gregory Ray]

Yes, sorry for the confusion and my newbness, I am using a linux box
(Ubuntu distro) as a DHCP server. I have eth0 to internet via pppoe
(high speed fiber).

The second option sounds best since I already have the public
addresses assigned to the server but I don't know what to assign to it
for a gateway.

The ISP provided us with 8 or 10 (I forget exactly how many) public
IPs. I have the servers (two of them) plugged directly into the switch
(which is plugged into the linux box). I then have multiple wireless
routers also plugged into the switch to provide internet access over
wifi to different parts of the building (around 20 workstations in
total).

On Mon, Sep 7, 2009 at 2:31 AM, Pascal
Hambourg<pascal.mail@plouf.fr.eu.org> wrote:
> Hello,
>
> Gregory Ray a écrit :
>> I am running iptables as a dhcp router from a pppoe connection
>
> Iptables is neither a router nor a DHCP server. Do you mean "I am
> running a Linux box working as a DHCP server and as a router" ?
>
>> can I have it route the standard local ips to the
>> workstations but also have my other servers utilize the static ips
>> available in the block from my isp?
>
> Sure. I suppose that the privante addresses are masqueraded with the
> PPPoE public address. For the public static block, you have two options.
>
> 1) Assign private addresses to the servers and use DNAT+SNAT to create
> 1:1 mapppings with public addresses from the static block.
>
> 2) Assign public addresses from the static block to the servers.
>
> Are the servers and workstations on the same LAN ?
> What is the size of the public static block and how many public servers
> do you have ?
>



-- 
Gregory Ray
CTO, Seek Mobile Interactive, Inc.

---

This e-mail message, including any attachments, is for the sole use of
the intended recipient(s) and may contain information that is
confidential and protected by law from unauthorized disclosure. Any
unauthorized review, use, disclosure or distribution is prohibited. If
you are not the intended recipient, please contact the sender by reply
e-mail and destroy all copies of the original message.

Re: Using IPTables to route both dynamic local address and static addresses provided by ISP?

[Pascal Hambourg]

Gregory Ray a écrit :
> Yes, sorry for the confusion and my newbness, I am using a linux box
> (Ubuntu distro) as a DHCP server. I have eth0 to internet via pppoe
> (high speed fiber).
> 
> The second option sounds best since I already have the public
> addresses assigned to the server but I don't know what to assign to it
> for a gateway.
> 
> The ISP provided us with 8 or 10 (I forget exactly how many) public
> IPs. I have the servers (two of them) plugged directly into the switch
> (which is plugged into the linux box).

It is probably a block of 8 addresses, i.e. /29 (29-bit is the prefix
length, netmask 255.255.255.248). Minus the two reserved network and
broadcast addresses and one address for the router box, this leaves 5
addresses available for your servers.

Example with the block 192.0.2.0/29 :
Address range :  192.0.2.0 - 192.0.2.7
Network address : 192.0.2.0
Broadcast address : 192.0.2.7
Host range : 192.0.2.1 - 192.0.2.6
Router address : 192.0.2.1 (could be any address in the host range)
Server range : 192.0.2.2 - 192.0.2.6

On the router box, you add the address 192.0.2.1 with prefix length /29
or netmask 255.255.255.248 to the LAN interface. This address will be
used as the default gateway by servers. The router box LAN interface
will have two addresses, one in the private subnet used by the
workstations and one in the public subnet used by servers.

On each server, you add an available address in the range 192.0.2.2 -
192.0.2.6 with prefix length /29 or netmask 255.255.255.248 and default
gateway 192.0.2.1.

Make sure that the SNAT/MASQUERADE iptables rule matches only the
private addresses, not the public ones.

> I then have multiple wireless
> routers also plugged into the switch to provide internet access over
> wifi to different parts of the building (around 20 workstations in
> total).

Wireless routers or access points (transparent wireless-ethernet bridges) ?